Deployment Steps for CipherTrust Transparent Encryption for Kubernetes

By Tamil Selvam R posted Wed December 18, 2024 05:24 AM


Overview: Deploying CipherTrust Transparent Encryption (CTE) for Kubernetes ensures that sensitive data within containers and persistent volumes is securely encrypted. The following steps outline the necessary procedures to deploy this solution effectively, with an emphasis on integration with Kubernetes clusters and seamless operationalization.


Prerequisites

Before you begin the deployment process, ensure the following prerequisites are met:

  • Kubernetes Cluster: You should have a running Kubernetes cluster (version 1.18 or later) on which you will deploy the CipherTrust Transparent Encryption solution.
  • CipherTrust Manager: Ensure that CipherTrust Manager is installed and accessible. It serves as the centralized control point for managing encryption policies, keys, and access controls.
  • Persistent Storage: You need a persistent storage solution integrated with Kubernetes (e.g., NFS, AWS EBS, Azure Disk, etc.) for storing encrypted data.
  • CipherTrust Kubernetes Operator: The CipherTrust Kubernetes Operator must be installed on your cluster to facilitate integration and manage encryption policies.

Deployment Steps

1. Prepare the Kubernetes Cluster

Ensure that your Kubernetes cluster is ready for deployment and configured correctly.

  • Ensure that the cluster has persistent volume support.
  • Verify that the kubectl CLI is configured to interact with the Kubernetes cluster.
  • Check the Kubernetes version to ensure compatibility with CipherTrust Transparent Encryption.

kubectl version

2. Install CipherTrust Kubernetes Operator

The CipherTrust Kubernetes Operator automates the deployment and management of CipherTrust Transparent Encryption within the cluster.

  • Deploy the CipherTrust Operator to your Kubernetes cluster. This can be done using a Helm chart or manually using Kubernetes manifests.

Using Helm:

helm repo add Thales https://thalesgroup.github.io/helm-charts
helm install cte-operator Thales/cte-operator

Using kubectl (Manual): Download the Kubernetes manifest for the CipherTrust Operator from the Thales repository and apply it.

kubectl apply -f cte-operator-deployment.yaml

3. Configure CipherTrust Manager

Before applying encryption policies, you need to configure the CipherTrust Manager (CTM) to manage encryption keys.

  • Log in to the CipherTrust Manager interface.
  • Set up encryption keys for Kubernetes. Ensure that keys are securely stored and are accessible by the Kubernetes operator.

Example:

  1. Navigate to Encryption Keys in the CipherTrust Manager UI.
  2. Create a new encryption key or import an existing one.
  3. Ensure that the key is configured with appropriate access controls and is bound to the Kubernetes namespace(s) where encryption will be applied.

4. Deploy the CipherTrust Transparent Encryption (CTE) Pod

Once the CipherTrust Kubernetes Operator and CipherTrust Manager are set up, deploy the CTE Pod into your Kubernetes cluster. This Pod will handle the encryption and decryption of sensitive data.

kubectl apply -f cte-pod-deployment.yaml

Ensure that the Pod is running and successfully communicates with the CipherTrust Manager for key management.

kubectl get pods -l app=cte

5. Define Encryption Policies

With the operator running, define encryption policies for Kubernetes resources, such as Persistent Volume Claims (PVCs), and map them to the appropriate encryption keys from the CipherTrust Manager.

Example Deployment and PVC to which an encryption policy is applied:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-app
spec:
  replicas: 1
  # apps/v1 requires a selector that matches the pod template labels
  selector:
    matchLabels:
      app: secure-app
  template:
    metadata:
      labels:
        app: secure-app
    spec:
      containers:
      - name: secure-container
        image: your-app-image
        volumeMounts:
        - name: secure-volume
          mountPath: /data
      volumes:
      - name: secure-volume
        persistentVolumeClaim:
          claimName: secure-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: secure-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: standard

Ensure the PVC is associated with the correct encryption key managed by the CipherTrust Manager.

6. Enable Per-Container Data Encryption

To enforce encryption on a per-container basis, configure your containers to apply encryption to sensitive data stored in volumes.

Example of configuring a container for encryption:

  • Define the encryption policy in the container’s deployment YAML file, specifying the encryption key and required encryption parameters.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: encrypted-app
spec:
  replicas: 1
  # apps/v1 requires a selector that matches the pod template labels
  selector:
    matchLabels:
      app: encrypted-app
  template:
    metadata:
      labels:
        app: encrypted-app
    spec:
      containers:
      - name: encrypted-container
        image: secure-image
        env:
        # identifier of the key managed in CipherTrust Manager, not the key material
        - name: CTE_ENCRYPTION_KEY
          value: "<encryption-key-id>"
        volumeMounts:
        - name: encrypted-storage
          mountPath: /encrypted-data
      volumes:
      - name: encrypted-storage
        persistentVolumeClaim:
          claimName: encrypted-pvc

7. Enable Access Control and Logging

Once the encryption policies are applied, configure user and process-based access controls. This ensures that only authorized users and processes can access or decrypt sensitive data.

  • Implement Role-Based Access Control (RBAC) for encryption keys and storage resources.
  • Enable logging to capture detailed audit information for access to encrypted data. This will provide visibility into who accessed what data and when.

Example RBAC Policy for Encryption Key Access:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: encryption-key-access
rules:
# read-only access to Secrets in the default namespace; bind with a RoleBinding
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]

Enable audit logging in the CipherTrust Manager for full transparency and monitoring.

8. Test the Deployment

Once the deployment steps are complete, test the encryption process to ensure that data is being properly encrypted and decrypted by the CipherTrust Transparent Encryption solution.

  • Write data to the encrypted PVC.
  • Check that the data is encrypted on the disk and can only be decrypted by authorized processes.
  • Verify the audit logs to ensure proper access controls and data tracking.

Example test command:

kubectl exec -it <pod-name> -- cat /encrypted-data/testfile

This should show encrypted content if encryption is working properly.
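Added helper for the step 8 checks (not from the original post): it writes a known marker into the protected mount, keeps a local copy of the same bytes, and then compares that copy against a raw copy of the file taken from the storage side, so you can confirm the data is unreadable at rest. The mount path /encrypted-data follows the step 6 manifest; the pod and file names are placeholders, and how the raw copy is fetched (node debug pod, volume snapshot) depends on your storage backend and is assumed, not shown.

```shell
#!/bin/sh
# Added verification helper for step 8; not from the original post.
# Assumes the pod mounts the CTE-protected PVC at /encrypted-data (step 6).
# The raw copy of the same file must be fetched from the storage side into
# a local file before check_at_rest is called; that step is backend-specific.

# Write a recognisable marker through the guarded mount (the authorized path)
# and keep an identical local copy for the comparison below.
write_marker() {  # usage: write_marker <pod-name> <file-name> <local-copy>
  marker="CTE-MARKER-$(date +%s)"
  printf '%s\n' "$marker" > "$3"
  kubectl exec -i "$1" -- sh -c "cat > /encrypted-data/$2" < "$3"
}

# Count distinct byte values in a file (0..256). Ciphertext spreads over many
# more values than a short ASCII marker, which catches a copy that merely differs.
distinct_bytes() {
  od -An -v -tu1 "$1" | tr -s ' ' '\n' | grep '^[0-9]' | sort -un | wc -l | tr -d ' '
}

# check_at_rest <local-copy-of-marker> <raw-storage-copy>
# Returns 0 only when the raw bytes differ from the marker, the marker prefix is
# not findable in them, and their byte diversity exceeds that of the marker.
check_at_rest() {
  plain="$1"; raw="$2"
  if [ ! -s "$raw" ]; then
    echo "FAIL: raw copy '$raw' is empty or missing"; return 1
  fi
  if cmp -s "$plain" "$raw"; then
    echo "FAIL: raw storage holds the marker byte-for-byte"; return 1
  fi
  prefix=$(head -c 11 "$plain")   # "CTE-MARKER-" as written by write_marker
  if grep -q -F -- "$prefix" "$raw"; then
    echo "FAIL: marker prefix '$prefix' is readable in raw storage"; return 1
  fi
  if [ "$(distinct_bytes "$raw")" -le "$(distinct_bytes "$plain")" ]; then
    echo "FAIL: raw copy is no more random than the marker itself"; return 1
  fi
  echo "OK: '$raw' does not reveal the contents of '$plain'"
  return 0
}
```

A failing check after write_marker means the guard point is not applied to that volume or the raw copy was taken through the guarded mount rather than from the backing storage.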

SUMMARY:
Deploying CipherTrust Transparent Encryption (CTE) on Kubernetes ensures secure encryption of sensitive data in containers and persistent volumes, leveraging the CipherTrust Manager and Kubernetes Operator. The process involves configuring encryption keys, defining policies, and enabling access control and logging for effective data security.

Contributed by Tamilselvam R (tamilselvam.ramalingam@ibm.com), reviewed by Sudhagar Tiroucamou (stirouca@in.ibm.com).
